Keeping workers safe in a manufacturing environment demands a healthy respect for the sometimes dangerous interactions between humans and machinery. Fortunately, when it comes to fluid-power systems, once-simple components such as safety-related valves have evolved into highly sophisticated devices.

The primary concern with fluid-power circuits is usually how to remove pneumatic or hydraulic energy from a device or system, so workers can safely access or service equipment. Manufacturers typically incorporate additional dump or exhaust valves specifically for this purpose.

But not all approaches to fluid-power safety are the same. To determine what is needed, manufacturers must perform a risk assessment of the machine to define the hazard level. Armed with this information, engineers can then determine just how critical the valve function is within the circuit, and specify the proper safety system.

Traditional approaches
Decades ago, machine builders routinely used simple 3-port, 2-position, normally-closed (non-passing) solenoid valves to help minimize risk during machine operation and servicing. The valves generally had a poppet-type construction, instead of a spool. That’s because poppet valves are less apt to stick in the open position, due to the poppet’s spring and inlet pressure bias to the closed position.

Despite more-robust performance characteristics, however, it is still possible that a poppet-valve element could become sluggish or stick in a partially open (passing) position. Depending on the circuit, such a condition might not be detected during normal machine operation. For instance, if a poppet valve serves as a dump valve and also supplies other control valves, then so long as those other control valves continue to function properly, the machine will operate normally even though the dump valve does not remove the stored energy as expected. The exhausting portion of the circuit would not function as it should, yet operators or maintenance personnel may not be aware of this abnormal condition.

Traditionally, manufacturers used two common methods to overcome this phenomenon. One approach added a monitoring device to the valve, to detect improper functioning. This would typically be a limit, proximity, or pressure switch. Such monitoring devices need to be integral to the valve, designed for safety-related applications, and thoroughly tested.

An add-on monitoring device such as this would, indeed, indicate improper valve function but would not help detect or predict an impending valve failure. The valve could still break down and possibly impair the fail-safe aspects of the circuit. The monitor would merely indicate that the valve had failed. This may still be a suitable fail-safe outcome if the risk is minimal, but it is not generally considered acceptable in high-risk situations.

The second approach involves adding a second, “redundant,” valve in series or parallel with the first valve. With redundancy, a single valve breakdown would not affect normal operation of the circuit, because the redundant valve would perform the required function and maintain normal equipment operation.

The potential problem with this approach is that, again, the loss of functionality of a single valve could remove redundancy from the circuit. Despite redundant valves, the system still depends on a single functioning device to perform normal operations. Redundancy alone provides no assurance that anyone is aware of the loss of redundancy within the circuit, should it occur.

Combined approach
The next evolution in valve safeguarding practices combined these two earlier approaches and involved monitoring redundant valves. This detects the loss of functionality in one valve while a second valve continues to operate normally. Maintenance personnel would be aware of the failure and could address the problem. Repairing or replacing the failed valve would restore circuit redundancy.

Despite this benefit, monitored redundancy will not necessarily provide the required level of machine safeguarding. Engineers must take into account other factors when assessing machine safety and risk.

Safeguarding machines
The first consideration involves properly understanding the flow paths through the valves themselves. If the goal is to remove stored energy within a specific time interval, it is important to ensure a valve malfunction would not increase the exhaust time. This is especially important for stop functions. If the valve’s internal components (in series or parallel) stop in any open position, or slow down during their normal stroke range, this may compromise the valve’s exhausting capability. Compressed air may not fully exhaust and may continue to flow to the system. Engineers must know these modes and crossover conditions within the valves when selecting a valve for a safety-related application.

To address these risk modes, fluid-power companies developed valves with two sets of independent yet integrated elements and crossing flow paths. These double valves have the inlets in series but the exhausts in parallel. This provides an AND logic function to the supply portion of the valve elements and an OR logic function to the exhaust portion of the valve. This is the optimal situation in a redundant circuit.

The second consideration when assessing machine safeguarding is to determine the valve’s response time. A properly functioning machine safeguarding system removes stored energy quickly, to stop operations in a timely manner and avoid potentially hazardous situations. It is critical that any valve malfunction does not increase the machine stopping time.

Here, valve malfunctions can include a slower valve response, which may increase the stored-energy removal time and, in turn, the machine stopping time. An increase in stopping time could also reduce the effectiveness of electrical safety devices, such as light curtains, whose correct mounting positions depend on the machine stopping time. If this time increases, these devices may now be too close to the point of operation and increase risk to the operator.

Given that valves typically exhibit slower response times prior to outright breakdown, it is advantageous to monitor the reaction speed of the valves or of individual valve elements. Further, response timing must be monitored during energy activation and, even more important, during energy deactivation — because that is when stored energy actually exhausts from the system. If response time exceeds specified limits, then the valve has not performed as expected.

The valve-monitoring system should, ideally, detect such a “diminished performance” condition. Monitoring capabilities can be integrated into the valve or rely on external sensing devices. However, during control-circuit design, it is important that engineers account for the external monitoring device’s response timing or inherent delays.

Acknowledging faults
The final question to consider during a machine safeguarding assessment: What happens when an abnormality is detected? Say, for example, the monitor (whether internal or external) detects that a single element has not worked properly, yet the overall system continues to operate because of the redundant valves. The abnormal condition means the control circuit relies on a single valve or valve element to operate properly. Even though the system is still functional, the benefit of redundancy is lost. Therefore, the monitoring system should require that the valve or equipment controller inhibit further operation and require an overt act to reset the valve and system.

By requiring an overt act to reset, responsible on-site operators or maintenance technicians must acknowledge the abnormal condition. They can then investigate and correct any problems.

A valve abnormality that occurs and is automatically reset is unacknowledged. Recurring, unacknowledged abnormalities may be happening with every cycle of the control circuit but remain unknown to operators and maintenance personnel. If this is due to an abnormality in one of the valve elements, the system gradually becomes dependent on a single element functioning properly and valve redundancy has effectively been removed. It is possible that machine operation is not affected because a single element functions properly and stored energy gets removed as expected.

For example, a normally functioning machine might have a sluggish valve element that is automatically reset on every cycle of the valve. This results in the circuit repeatedly depending on a single element. This is unacceptable for a higher-level, safety-related system where the accumulation of undetected abnormalities must not degrade safety. Inhibiting equipment operation and requiring an overt act to correct the circuit abnormality bring circuit issues to the attention of personnel responsible for investigation, correction, and human welfare in the manufacturing plant.
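
The double-valve logic, response-time monitoring and latched reset described above can be modelled in a few lines. This is an added example, not code from the article or from any vendor's controller; the 40 ms limit, the shift times and all names are assumptions, and the cycle data is constructed.

```python
from dataclasses import dataclass, field

LIMIT_MS = 40.0  # assumed response-time limit; the article specifies no value

def supply_passes(a_open: bool, b_open: bool) -> bool:
    """Inlets in series: both elements must be open (AND)."""
    return a_open and b_open

def exhaust_open(a_open: bool, b_open: bool) -> bool:
    """Exhausts in parallel: either element returning closed vents (OR)."""
    return (not a_open) or (not b_open)

@dataclass
class Monitor:
    auto_reset: bool                  # True models the unacknowledged case
    locked_out: bool = False
    unacknowledged: int = 0
    pending: list = field(default_factory=list)
    acknowledged: list = field(default_factory=list)

    def cycle(self, on_ms, off_ms) -> bool:
        """on_ms/off_ms are (A, B) shift times in ms for energize/de-energize.
        Returns True if the cycle was allowed to run."""
        if self.locked_out:
            return False              # operation inhibited until reset()
        slow = [(phase, name, t)
                for phase, times in (("energize", on_ms), ("de-energize", off_ms))
                for name, t in zip("AB", times) if t > LIMIT_MS]
        if slow and self.auto_reset:
            self.unacknowledged += len(slow)   # fault clears itself, nobody sees it
        elif slow:
            self.pending, self.locked_out = slow, True
        return True

    def reset(self, who: str) -> None:
        """Overt act: a named person acknowledges the fault before restart."""
        self.acknowledged += [(who, *fault) for fault in self.pending]
        self.pending, self.locked_out = [], False

def run(monitor: Monitor, cycles) -> int:
    """Return how many of the given cycles the monitor allowed to run."""
    return sum(monitor.cycle(on, off) for on, off in cycles)

# Constructed data: element B is sluggish on every de-energize stroke.
CYCLES = [((22.0, 24.0), (25.0, 55.0))] * 5
```

With `auto_reset=True` all five cycles run and five faults accumulate unseen; with `auto_reset=False` the monitor locks out after the first cycle and stays locked until `reset()` records who acknowledged the fault.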

Eric Cummings is a Global Safety Industry Manager at Ross Controls, Troy, Mich., a manufacturer of pneumatic valves, control systems and safety-related products. Learn more at www.rosscontrols.com.